Add AMP Feature to WSA / SMA

AMP – Advanced Malware Protection

WSA – Web Security Appliance (aka IronPort)

SMA – Security Management Appliance (centralised management to push policies to geographically distributed WSAs)

Background story – At one client site, Webroot was having a major impact: the proxy kept having issues and could not process some requests because of a Webroot bug. Cisco does not have much influence there, so the only option left for a Cisco customer is AMP, where Cisco has full control to diagnose the issue.

SMA – 11.5.1-115 – Current running version

WSA – 11.5.2-020 for Web – Current Running version

Step 1: Get the AMP license, either from Smart Licensing or as feature keys. Only higher versions support Smart Licensing, so I had to contact the Cisco license team to get feature keys.

Step 2: Apply the feature keys on each individual appliance (this can only be done by logging in to each appliance).

Enter the feature key and submit it.

Step 3: Now you can see the feature keys for AMP (for confidentiality, I have removed the other information).

Step 4: Disable Webroot and enable AMP on the WSA.

Click Submit and commit the changes.

Step 5: Enable the same on the SMA: enable AMP and disable Webroot.

Click Submit and commit the changes.

Step 6: Make sure you configure the AMP engine to get updates from the Internet automatically.

Navigate to Security Services > File Reputation and Analysis. Under “Advanced Malware Protection,” click “Edit the Global Settings”.

Note: By default, it uses port tcp/32137 (if your external perimeter blocks this port, AMP will not get updates), so change the port accordingly. I have changed it to port 443.

Save and commit the changes
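Before picking the port, it helps to confirm which of the two the perimeter actually lets out. The script below is an added example, not part of the original post: the hostname is a placeholder for the file reputation server shown in your own AMP global settings, and it assumes you run it from a host that shares the WSA's egress path.

```python
import socket
import sys

# Ports named in the post: the AMP default first, then the fallback the author used.
AMP_PORTS = (32137, 443)

def probe(host, port, timeout=3.0):
    """Classify one outbound TCP attempt.

    'open'       - handshake completed
    'refused'    - actively rejected (RST): host reachable, port closed or rejected
    'unresolved' - DNS lookup failed
    'filtered'   - timed out or unreachable, typical of a perimeter silently dropping
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolved"
    except OSError:  # includes socket.timeout
        return "filtered"

def choose_port(results, preferred=AMP_PORTS):
    """Return the first port, in preference order, that probed 'open', else None."""
    for port in preferred:
        if results.get(port) == "open":
            return port
    return None

def check_amp_egress(host, ports=AMP_PORTS, timeout=3.0):
    """Probe every candidate port and return (per-port results, port to configure)."""
    results = {port: probe(host, port, timeout) for port in ports}
    return results, choose_port(results, ports)

if __name__ == "__main__":
    # Placeholder hostname: pass the file reputation server from your own
    # AMP global settings as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "file-reputation.example.invalid"
    results, port = check_amp_egress(host)
    for p, state in results.items():
        print(f"tcp/{p}: {state}")
    print(f"usable port: {port}" if port else "no usable port; check perimeter rules")
```

A `filtered` result on tcp/32137 together with `open` on 443 matches the situation described in the note above.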

You can view AMP in the Global Policy under Access Policies.

Web Security Manager > Access Policies: you will need to configure Advanced Malware Protection under the Anti-Malware and Reputation column. Click on the blue “Advanced Malware Protection”.

Choose Block instead of Monitor (Monitor is not going to block).

Step 7: You can view the reports on the SMA.

Sample report like below:

You can view blocking from the user

I hope you enjoyed the document!

Happy Labbbbbbbbbing!